path: root/doc/stats/conntrackd.conf
Commit message / Author / Date / Files / Lines
* systemd: default to use libsystemd if built with support for it
  Arturo Borrero Gonzalez, 2018-04-18, 1 file, -1/+1

  We may assume that if a user builds conntrackd with such a feature, it is with the intention to use it. So, if that's the case, default to using it. This eases some downstream use cases when dealing with default configs to be shipped to final users.

  This could be a mid-point solution, given some users are asking for a full revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3.

  Signed-off-by: Arturo Borrero Gonzalez <>
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: make the daemon run in RT mode by default
  Arturo Borrero Gonzalez, 2017-06-12, 1 file, -19/+0

  In order to prevent netlink buffer overrun, conntrackd is recommended to run at max priority. Make conntrackd use a RT (SCHED_RR) scheduler by default at max priority. This is common among other HA daemons. For example, corosync uses SCHED_RR by default.

  The scheduler configuration option is kept in order to allow admins to perform fine-tuning, but it is deleted from example configuration files.

  Note that this default sched priority is so high that it makes the nice value useless, so deprecate the nice configuration. Anyway, the nice value can be set externally at runtime using nice/renice.

  The code is moved to the init() routine. In case of error setting the scheduler, the system default will be used. Report a message to the user and continue working.

  Signed-off-by: Arturo Borrero Gonzalez <>
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: deprecate unix backlog configuration
  Arturo Borrero Gonzalez, 2017-06-06, 1 file, -1/+0

  This configuration option doesn't add any value to users. Use the magic value of 100 (i.e., the socket will keep 100 pending connections), which I think is fair enough for what conntrackd can do in the unix socket.

  Signed-off-by: Arturo Borrero Gonzalez <>
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: Disable runtime systemd support by default
  Pablo Neira Ayuso, 2016-02-17, 1 file, -2/+2

  By default, conntrackd is compiled with no built-in systemd support. This patch updates the default runtime behaviour to be consistent with what ./configure provides by default. Thus, users should explicitly indicate "Systemd On" in their configuration file to enable this.

  This shouldn't cause any problem to old users of conntrackd.

  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: add systemd support
  Arturo Borrero, 2015-11-17, 1 file, -0/+8

  This patch adds basic systemd support.

  The feature can be enabled/disabled at configure time:

      ./configure --disable-systemd

  Also, at runtime in conntrackd.conf:

      General {
          Systemd on|off
      }

  (by default it's enabled both at runtime and at configure time)

  * tell systemd about conntrackd readiness:
    When conntrackd starts, it will send systemd the data "READY=1". At the point the data is sent, conntrackd is fully ready to work (configuration was OK, sockets OK, et al.), so other actions depending on conntrackd can be safely chained in the machine boot process.

  * tell systemd about conntrackd shutting down:
    If the admin kills conntrackd with `conntrackd -k', the data "STOPPING=1" will be sent to systemd so it learns about the daemon shutting down. Same for manual signals.

  * watchdog support:
    The admin can configure systemd to watch the conntrackd daemon and perform some actions if conntrackd dies: restart it, reboot the machine, etc.

  Signed-off-by: Arturo Borrero Gonzalez <>
  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: PollSecs goes in the General clause for statistics
  Pablo Neira Ayuso, 2010-02-28, 1 file, -12/+12

  This patch fixes the configuration file that includes an example of the PollSecs clause in Stats. This is wrong since it should go in the General clause.

  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: fix UDP filtering in configuration file
  Pablo Neira Ayuso, 2010-02-11, 1 file, -0/+1

  UDP filtering was broken during the addition of the UDP-based synchronization protocol that was introduced in 0.9.14. This patch fixes the problem.

  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: add support for IPv6 kernel-space filtering via BSF
  Pablo Neira Ayuso, 2009-07-21, 1 file, -0/+1

  This patch adds the missing support to filter IPv6 from kernel-space by means of the BSF API that libnetfilter_conntrack provides.

  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: add clause to enable ctnetlink reliable event delivery
  Pablo Neira Ayuso, 2009-07-21, 1 file, -0/+7

  This patch adds the NetlinkEventsReliable clause, this is useful to turn on reliable Netlink event delivery. This feature requires a Linux kernel >= 2.6.31.

  Signed-off-by: Pablo Neira Ayuso <>
* conntrackd: change scheduler and priority via configuration file
  Pablo Neira Ayuso, 2009-04-14, 1 file, -0/+11

  With this patch, you can change the scheduler policy and priority for conntrackd. Using a RT scheduler policy reduces the chances to hit ENOBUFS in Netlink.

  Signed-off-by: Pablo Neira Ayuso <>
* config: add NetlinkBufferSize and NetlinkBufferSizeMaxGrowth
  Pablo Neira Ayuso, 2009-02-21, 1 file, -2/+2

  This patch adds two aliases that remove an inconsistency in the configuration file names. Now, the clauses that refer to Netlink start with the prefix "Netlink".

  Signed-off-by: Pablo Neira Ayuso <>
* src: add Nice clause to set the nice value
  Pablo Neira Ayuso, 2009-02-08, 1 file, -0/+8

  Signed-off-by: Pablo Neira Ayuso <>
* src: add state polling support (opposed to current event-driven)
  Pablo Neira Ayuso, 2009-01-17, 1 file, -0/+12

  This patch adds the clause PollSecs that changes the normal behaviour of conntrackd. With PollSecs set to > 0, conntrackd polls the entries every N seconds. This is the opposite of an event-driven behaviour but may be useful for those that have really strong limitations in terms of CPU consumption and want to perform a relaxed replication.

  Signed-off-by: Pablo Neira Ayuso <>
* config: use /var/run to create the UNIX socket file
  Pablo Neira Ayuso, 2008-09-18, 1 file, -1/+1

  This patch removes the use of /tmp to create the UNIX socket file to communicate with conntrackd in the example configuration files. This was OK in the early alpha days, but not anymore.

  Signed-off-by: Pablo Neira Ayuso <>
* fix: wrong information related to default logging action
  Pablo Neira Ayuso, 2008-08-01, 1 file, -3/+3

  Logging is set off by default instead of what the example files state.

  Signed-off-by: Pablo Neira Ayuso <>
* Major rework of the user-space event filtering
  Pablo Neira Ayuso, 2008-07-22, 1 file, -21/+33

  This patch reworks the user-space filtering. Although we have kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace filtering to ensure backward compatibility. Moreover, this patch prepares the implementation of the kernel-space filtering via libnetfilter_conntrack's high-level berkeley socket filter API.

  Signed-off-by: Pablo Neira Ayuso <>
* Max Kellermann <>:
  /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org, 2008-01-18, 1 file, -10/+0

  Simplify logging infrastructure
* implement buffered connection logging to improve performance
  /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org, 2008-01-05, 1 file, -0/+10
* add more descriptive information to the conntrackd.conf example file for the stats mode
  /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org, 2008-01-03, 1 file, -1/+2
* o add support for connection logging to the statistics mode via Logfile
  /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org, 2008-01-03, 1 file, -5/+17

  o minor irrelevant fixes for uncommon error paths and fix several typos
  o use LOG_INFO for connection logging, use LOG_NOTICE for other information
  o minor error handling updates
* rename `examples' directory to `doc'
  Ayuso/emailAddress=pablo@netfilter.org, 2007-12-23, 1 file, -0/+76
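The following stats-mode fragment is an added example, not the repository's doc/stats/conntrackd.conf and not part of any commit above. It collects in one place the clauses this log introduces, moves or retires (Systemd, Scheduler, Nice, PollSecs, NetlinkBufferSize/NetlinkBufferSizeMaxGrowth, NetlinkEventsReliable, the UNIX socket path and Backlog, userspace filtering, stats logging), with the commit date each one comes from. Clause names are taken from the commit messages; the placement of NetlinkEventsReliable, the Scheduler sub-keys and the Filter syntax are my assumptions based on the conntrackd.conf(5) man page, and the values are illustrative, so check them against the version you run before deploying.

```conf
# Added example (not the project's shipped doc/stats/conntrackd.conf).
# Assumptions: clause placement and Filter/Scheduler syntax follow
# conntrackd.conf(5); values are illustrative, not recommendations.
General {
	# 2015-11-17 / 2016-02-17 / 2018-04-18: sd_notify READY=1 on start,
	# STOPPING=1 on shutdown. Only meaningful if built with libsystemd;
	# since 2018-04-18 such builds default to on, earlier ones to off.
	Systemd on

	# 2009-04-14 / 2017-06-12: a real-time policy lowers the chance of
	# ENOBUFS on the ctnetlink socket (lost state-change events). Since
	# 2017-06-12 SCHED_RR at max priority is the built-in default, so this
	# block exists only for fine-tuning; on failure the daemon logs a
	# message and keeps running with the system default policy.
	Scheduler {
		Type FIFO
		Priority 99
	}

	# 2009-02-08 / 2017-06-12: Nice is deprecated; under a RT policy it
	# has no effect. Use nice(1)/renice(1) on the process if you need it.
	#Nice -20

	# 2009-01-17 / 2010-02-28: polling belongs in General, not Stats.
	# PollSecs > 0 polls the table every N seconds instead of consuming
	# events (lower CPU, coarser view). Commented out: stay event-driven.
	#PollSecs 15

	# 2009-02-21: Netlink-prefixed aliases for the socket buffer sizes.
	NetlinkBufferSize 262142
	NetlinkBufferSizeMaxGrowth 655355

	# 2009-07-21: ask the kernel (>= 2.6.31) for reliable event delivery
	# instead of silently dropping events when the buffer overruns.
	NetlinkEventsReliable On

	# 2008-09-18: control socket under /var/run, never world-writable /tmp.
	# 2017-06-06: Backlog is deprecated; the daemon hard-codes 100.
	UNIX {
		Path /var/run/conntrackd.ctl
		#Backlog 20
	}

	# 2008-07-22 / 2010-02-11: userspace filter, kept for kernels without
	# BSF filtering (use "Filter From Kernelspace" on >= 2.6.26, IPv6 too
	# since 2009-07-21). UDP is listed explicitly: it was dropped from the
	# example once and restored on 2010-02-11.
	Filter From Userspace {
		Protocol Accept {
			TCP
			UDP
		}
		Address Ignore {
			IPv4_address 127.0.0.1
			IPv6_address ::1
		}
	}
}

Stats {
	# 2008-01-03 / 2008-01-05: buffered connection logging at LOG_INFO.
	# 2008-08-01: logging is off by default; it must be enabled here.
	LogFile on
	Syslog off
}
```

Reading it against the log: the two settings that matter for not silently losing conntrack events are the RT scheduler (now the default) and NetlinkEventsReliable, while the socket path and the Backlog/Nice removals are hygiene changes that make the shipped example safe and simpler to copy.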